Re: [ssh-l] Running commands under the SYSTEM account ?

From: Peter Buckley <peter.buckley_at_**********.***>
Date: Wed Oct 17 2001 - 16:20:49 EDT

You've definitely found the weak point
of cygwin's ssh, and correspondingly
rsh (inetd) as well. It has been explained
to me by the developers that this
behavior of running the shell as SYSTEM
is a necessary evil of NT. When you run
without password authentication, what
happens is a "user context switch." There
is no login, and hence NT authentication
cannot occur. This isn't really a case of
cygwin not being robust, it is that NT
isn't robust at all.

The workaround is to compile your own
sshd. Even if you don't know C, it is
probably very clear in the source code
that the user context is not switched,
or it is not switched at the correct
time.

My experience is with rsh (and inetd).
The code clearly tries to cd to the
user's home directory as SYSTEM,
then changes context to the user, and
then executes the command. Seems pretty
brain damaged to me, but the developers
have explained that this is a "security
feature" that prevents users with
non-existent home directories from getting
to the root directory. On rsh, I really
don't care, since it is insecure to begin
with, so I am compiling my own.

The other thing you can try is to run
the sshd service as a different user,
one with the appropriate rights. Although
the cygwin developers say otherwise,
running an inetd/sshd service as SYSTEM
has serious limitations in the real world,
due to the lack of functionality in NT.

HTH,
Peter

Terris wrote:
>
> There seems to be a difference in how
> commands are run from sshd depending on
> whether password or key (I'm using RSA)
> authentication is used.
>
> I verified this by writing my own app that is used
> as my shell.
>
> This application calls
> OpenThreadToken or OpenProcessToken
> if it fails. I then call LookupAccountSid
> and write the domain and user name to
> a log.
>
> When RSA authentication is used, the SYSTEM
> account is used to run the shell. When password
> authentication is used, the shell is run under the
> corresponding NT user that logged in. It's not
> very useful for me for the shell to be run
> under SYSTEM and I don't want to use
> password authentication.
>
> Any ideas?
>
> I guess Cygwin isn't as robust as I had
> hoped it would be.
>
> Thanks,
> Terris
>
> --
> List Information: http://tech.erdelynet.com/maillist-ssh-l.asp
> List Archives: http://erdelynet.com/archive/ssh-l/

-- 
Your mouse has moved.
Windows NT must be restarted for the change to take effect.
Reboot now?  [OK]
Received on Wed Oct 17 16:21:38 2001

This archive was generated by hypermail 2.1.8 : Fri Jul 29 2005 - 17:33:30 EDT
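
The check Terris describes (thread token first, process token as the fallback, then LookupAccountSid), as an added example that is not code from either poster or from Cygwin. The names `current_account` and `is_local_system` are hypothetical, the use of GetTokenInformation and ConvertSidToStringSid is an assumption about how the SID is obtained and printed (Windows 2000 or later, linked with advapi32), and the result goes to stderr rather than a log file.

```c
#include <stdio.h>
#include <string.h>

/* 1 if sid is the well-known LocalSystem SID, S-1-5-18. */
int is_local_system(const char *sid) { return sid && strcmp(sid, "S-1-5-18") == 0; }

#ifdef _WIN32
#include <windows.h>
#include <sddl.h> /* ConvertSidToStringSidA; link with advapi32 */

/* Writes DOMAIN\user to acct and the string SID to sid; returns 0 on success. */
int current_account(char *acct, size_t n, char *sid, size_t sn)
{
    union { TOKEN_USER tu; BYTE raw[256]; } u; /* aligned buffer for TokenUser */
    char name[256], dom[256], *s = NULL;
    DWORD len = 0, nlen = sizeof name, dlen = sizeof dom;
    SID_NAME_USE use;
    HANDLE tok = NULL;
    int rc = -1;
    /* A thread token exists only while impersonating; else use the process token. */
    if (!OpenThreadToken(GetCurrentThread(), TOKEN_QUERY, TRUE, &tok) &&
        !OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &tok))
        return -1;
    if (GetTokenInformation(tok, TokenUser, &u, sizeof u, &len) &&
        LookupAccountSidA(NULL, u.tu.User.Sid, name, &nlen, dom, &dlen, &use) &&
        ConvertSidToStringSidA(u.tu.User.Sid, &s)) {
        snprintf(acct, n, "%s\\%s", dom, name);
        snprintf(sid, sn, "%s", s);
        LocalFree(s);
        rc = 0;
    }
    CloseHandle(tok);
    return rc;
}
#else
/* Non-Windows build: there is no NT token to query. */
int current_account(char *acct, size_t n, char *sid, size_t sn)
{ (void)acct; (void)n; (void)sid; (void)sn; return -1; }
#endif

int main(void)
{
    char acct[520], sid[192];
    if (current_account(acct, sizeof acct, sid, sizeof sid) != 0)
        return fprintf(stderr, "cannot query token\n"), 1;
    fprintf(stderr, "running as %s (%s)%s\n", acct, sid,
            is_local_system(sid) ? " [LocalSystem]" : "");
    return 0;
}
```

Set as the login shell or run from an sshd session, it shows whether the session received the user's token or is still running as SYSTEM.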